Open Packages For *BSD

ctg1701 noticed that daemonews was running "a story today about openpackages for *BSD," and says "I am a big fan of the freebsd and openbsd operating systems and having a seamless way of creating packages on these and other platforms would be great. It seems they are also working on porting this over to HPUX and Mac OSX. Very cool stuff. Check it out at http://www.openpackages.org."

Re:Great news

[edhall]

What you ask for already exists. They're called "ports," and there is also talk of unified ports. (OK, well here are a few ports that are partly or wholy binaries, but for the most part the port mechanism is for fetching and building sources; you can take days perusing the source between a "make" and a "make install" if you like.)

I've built many a program from plain tarballs and even separately fetched source files. I see no reason for people to get "used" to such things again when there are mechanisms that make it much less likely to compromise security by misunderstanding a configuration option or to waste lots of time puzzling over include file dependencies and so on.

I think that in most cases, source browsing is among the least efficient uses of time in securing a system. If you assume from the start that the software will have bugs, and configure and compartmentalize it accordingly, you'll be miles ahead. Tens of thousands of people built sendmail and bind from source tarballs but serious security bugs still lurked unfound in both for years. What makes you think you'd be so much better at finding them? I know I'm not. That's why I employ wrappers, packet filters, chroot() and jail(), router ACLs, physical access controls, and so forth and so on.

In any case, pre-built tools aren't the answer for security, either; they're just another option, with its own tradeoffs. In the struggle to make the best use of my time, they can be most welcome.

-Ed

Re:Platform specifics.

[MO!]

Please check into the details of this project before asking such questions. The pupose is to consolidate the location of platform specific patches and apply them according to whick platform the port is being compiled on. So, on a FreeBSD 4.3 system, a simple "make install" will apply the FreeBSD 4.3 specific patches, compile, and install - even though the Darwin, MacOS X, HP/UX, etc patches are all located in the same place the FreeBSD patches are. This way, I can take the same "port" - makefile, patches, etc - and copy them to my MacOS X machine and do the same simple "make install". Then automagically I have both systems running platform specific builds of the same application with minimal effort.

packages & a large website

[abs0]

I'm watching the open packages work with a lot of interest. I'm responsible for a reasonable sized website (350 million hits a month) on a bunch of Linux boxes (recently added a few BSD :).

About two months ago I switched the linux boxes across to using pkgsrc (The NetBSD packge system). It has enabled me to massively reduce the amount of configuation/build magic required and to easily build on one box of each type and install binary packages across onto the others.

They're mainly apache, with some tomcat/jsp with a postgresql backend, nothing overly complicated, but there are various tweaks here and there and pkgsrc allows me to bring those updates forward without spending too much time on it.

Its also good to know if we get the Solaris boxes someone threatened then the packaging system is all ready to go :)

Right now pkgsrc gives me pretty much everything I want, but its good to see projects like openpackages bringing together even more people to work on a unified package system.

Great news

[joq]

Way to go BSD. On a slight twist of it all though, I'd like to know why is it so difficult for some to just download source as well for certain "mission critical" things such as running daemons on say an ecommerce machine.

Sure pkg_add'ing is good since it eases things up, but how does this bode for those who like to scrutinize code, and check for bugs before installing something on their machine. Don't get me wrong now, not saying check line for line everything you download because $INSERT_SECURITY_PARANOIA_HERE , but it would be nice for people to get used to good old source again, as well as the easier ports, and pkg'ing programs.

Sounds off base a slight bit, but hopefully someone can compile my thought for me, 3hours sleep a day does a mind no good.

Platform specifics.

[serts]

Perhaps I didn't catch the full idea behind this, but wasn't the whole idea behind the ports tree to provide system specific patches and configurations dependant on the platform at hand?
Personally, I'd prefer to have the software I'm using configured specifically for my platform, not a generic mismatch of options.
Or will the different package sets still differ form system to system, with a common management tool?

Re:Great news

[Moderator]

You have the option under FreeBSD to just download the port and then have it unzipped so that you can actually modify the source, if that's what you're asking. I've done this several times before, then a make all install finishes compiling and installing the ports.

--

Porting to MacOS X?

[zzen]

Claiming porting projects are under way for HP UX is OK, but with MacOS X, this is inaccurate.

MacOS X has been a target from the very beginning, as have been all other BSDs (NetBSD, FreeBSD, OpenBSD and Darwin). On top of it, Apple one of the sponsors of this project and has some of it's engineers working on it. The official policy is "anybody is welcome to do a port to any other platform".

Oh - and openpackages contain source, not binary. The project aims to produce standardized "make(1) and pkg_*(1) tools". It occured to me some previous posters understood it the other way...

http://www.openpackages.org/ [openpackages.org]